Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F9190
bug34907-1.18.patch
Public
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Authored By
•
bzimport
Nov 22 2014, 12:19 AM
2014-11-22 00:19:07 (UTC+0)
Size
7 KB
Referenced Files
None
Subscribers
None
bug34907-1.18.patch
View Options
Index: includes/OutputPage.php
===================================================================
--- includes/OutputPage.php (revision 114352)
+++ includes/OutputPage.php (working copy)
@@ -2359,8 +2359,7 @@
* @return string html <script> and <style> tags
*/
protected function makeResourceLoaderLink( Skin $skin, $modules, $only, $useESI = false ) {
- global $wgLoadScript, $wgResourceLoaderUseESI,
- $wgResourceLoaderInlinePrivateModules;
+ global $wgLoadScript, $wgResourceLoaderUseESI;
// Lazy-load ResourceLoader
// TODO: Should this be a static function of ResourceLoader instead?
$baseQuery = array(
@@ -2444,8 +2443,11 @@
$query['modules'] = ResourceLoader::makePackedModulesString( array_keys( $modules ) );
- // Support inlining of private modules if configured as such
- if ( $group === 'private' && $wgResourceLoaderInlinePrivateModules ) {
+ // Inline private modules. These can't be loaded through load.php for security
+ // reasons, see bug 34907. Note that these modules should be loaded from
+ // getHeadScripts() before the first loader call. Otherwise other modules can't
+ // properly use them as dependencies (bug 30914)
+ if ( $group === 'private' ) {
if ( $only == ResourceLoaderModule::TYPE_STYLES ) {
$links .= Html::inlineStyle(
$resourceLoader->makeModuleResponse( $context, $modules )
Index: includes/resourceloader/ResourceLoader.php
===================================================================
--- includes/resourceloader/ResourceLoader.php (revision 114352)
+++ includes/resourceloader/ResourceLoader.php (working copy)
@@ -164,7 +164,7 @@
$cache->set( $key, $result );
} catch ( Exception $exception ) {
// Return exception as a comment
- $result = "/*\n{$exception->__toString()}\n*/\n";
+ $result = $this->makeComment( $exception->__toString() );
}
wfProfileOut( __METHOD__ );
@@ -309,13 +309,20 @@
ob_start();
wfProfileIn( __METHOD__ );
- $exceptions = '';
+ $errors = '';
// Split requested modules into two groups, modules and missing
$modules = array();
$missing = array();
foreach ( $context->getModules() as $name ) {
if ( isset( $this->moduleInfos[$name] ) ) {
+ $module = $this->getModule( $name );
+ // Do not allow private modules to be loaded from the web.
+ // This is a security issue, see bug 34907.
+ if ( $module->getGroup() === 'private' ) {
+ $errors .= $this->makeComment( "Cannot show private module \"$name\"" );
+ continue;
+ }
$modules[$name] = $this->getModule( $name );
} else {
$missing[] = $name;
@@ -340,26 +347,21 @@
$this->preloadModuleInfo( array_keys( $modules ), $context );
} catch( Exception $e ) {
// Add exception to the output as a comment
- $exceptions .= "/*\n{$e->__toString()}\n*/\n";
+ $errors .= $this->makeComment( $e->__toString() );
}
wfProfileIn( __METHOD__.'-getModifiedTime' );
- $private = false;
// To send Last-Modified and support If-Modified-Since, we need to detect
// the last modified time
$mtime = wfTimestamp( TS_UNIX, $wgCacheEpoch );
foreach ( $modules as $module ) {
try {
- // Bypass Squid and other shared caches if the request includes any private modules
- if ( $module->getGroup() === 'private' ) {
- $private = true;
- }
// Calculate maximum modified time
$mtime = max( $mtime, $module->getModifiedTime( $context ) );
} catch ( Exception $e ) {
// Add exception to the output as a comment
- $exceptions .= "/*\n{$e->__toString()}\n*/\n";
+ $errors .= $this->makeComment( $e->__toString() );
}
}
@@ -376,13 +378,8 @@
header( 'Cache-Control: private, no-cache, must-revalidate' );
header( 'Pragma: no-cache' );
} else {
- if ( $private ) {
- header( "Cache-Control: private, max-age=$maxage" );
- $exp = $maxage;
- } else {
- header( "Cache-Control: public, max-age=$maxage, s-maxage=$smaxage" );
- $exp = min( $maxage, $smaxage );
- }
+ header( "Cache-Control: public, max-age=$maxage, s-maxage=$smaxage" );
+ $exp = min( $maxage, $smaxage );
header( 'Expires: ' . wfTimestamp( TS_RFC2822, $exp + time() ) );
}
@@ -422,12 +419,12 @@
$response = $this->makeModuleResponse( $context, $modules, $missing );
// Prepend comments indicating exceptions
- $response = $exceptions . $response;
+ $response = $errors . $response;
// Capture any PHP warnings from the output buffer and append them to the
// response in a comment if we're in debug mode.
if ( $context->getDebug() && strlen( $warnings = ob_get_contents() ) ) {
- $response = "/*\n$warnings\n*/\n" . $response;
+ $response = $this->makeComment( $warnings ) . $response;
}
// Remove the output buffer and output the response
@@ -437,6 +434,11 @@
wfProfileOut( __METHOD__ );
}
+ protected function makeComment( $text ) {
+ $encText = str_replace( '*/', '* /', $text );
+ return "/*\n$encText\n*/\n";
+ }
+
/**
* Generates code for a response
*
@@ -461,7 +463,7 @@
$blobs = MessageBlobStore::get( $this, $modules, $context->getLanguage() );
} catch ( Exception $e ) {
// Add exception to the output as a comment
- $exceptions .= "/*\n{$e->__toString()}\n*/\n";
+ $exceptions .= $this->makeComment( $e->__toString() );
}
} else {
$blobs = array();
@@ -534,7 +536,7 @@
}
} catch ( Exception $e ) {
// Add exception to the output as a comment
- $exceptions .= "/*\n{$e->__toString()}\n*/\n";
+ $exceptions .= $this->makeComment( $e->__toString() );
// Register module as missing
$missing[] = $name;
Index: includes/resourceloader/ResourceLoaderUserOptionsModule.php
===================================================================
--- includes/resourceloader/ResourceLoaderUserOptionsModule.php (revision 114352)
+++ includes/resourceloader/ResourceLoaderUserOptionsModule.php (working copy)
@@ -45,38 +45,17 @@
global $wgUser;
- if ( $context->getUser() === $wgUser->getName() ) {
- return $this->modifiedTime[$hash] = wfTimestamp( TS_UNIX, $wgUser->getTouched() );
- } else {
- return 1;
- }
+ return $this->modifiedTime[$hash] = wfTimestamp( TS_UNIX, $wgUser->getTouched() );
}
/**
- * Fetch the context's user options, or if it doesn't match current user,
- * the default options.
- *
- * @param $context ResourceLoaderContext: Context object
- * @return Array: List of user options keyed by option name
- */
- protected function contextUserOptions( ResourceLoaderContext $context ) {
- global $wgUser;
-
- // Verify identity -- this is a private module
- if ( $context->getUser() === $wgUser->getName() ) {
- return $wgUser->getOptions();
- } else {
- return User::getDefaultOptions();
- }
- }
-
- /**
* @param $context ResourceLoaderContext
* @return string
*/
public function getScript( ResourceLoaderContext $context ) {
+ global $wgUser;
return Xml::encodeJsCall( 'mw.user.options.set',
- array( $this->contextUserOptions( $context ) ) );
+ array( $wgUser->getOptions() ) );
}
/**
@@ -84,10 +63,10 @@
* @return array
*/
public function getStyles( ResourceLoaderContext $context ) {
- global $wgAllowUserCssPrefs;
+ global $wgAllowUserCssPrefs, $wgUser;
if ( $wgAllowUserCssPrefs ) {
- $options = $this->contextUserOptions( $context );
+ $options = $wgUser->getOptions();
// Build CSS rules
$rules = array();
Index: includes/DefaultSettings.php
===================================================================
--- includes/DefaultSettings.php (revision 114352)
+++ includes/DefaultSettings.php (working copy)
@@ -2494,13 +2494,6 @@
);
/**
- * Whether to embed private modules inline with HTML output or to bypass
- * caching and check the user parameter against $wgUser to prevent
- * unauthorized access to private modules.
- */
-$wgResourceLoaderInlinePrivateModules = true;
-
-/**
* The default debug mode (on/off) for of ResourceLoader requests. This will still
* be overridden when the debug URL parameter is used.
*/
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
8696
Default Alt Text
bug34907-1.18.patch (7 KB)
Attached To
Mode
T36907: CSRF token-stealing attack (user.tokens)
Attached
Detach File
Event Timeline
Log In to Comment